What Stuxnet means for the process industry

The Stuxnet and Aurora attacks have shown us that malware development has become a professional job. These threats targeting the process industry were written by highly intelligent developers, financed by huge investors, and possibly even by governments.

Yet every time a new attack is discovered, experts are left wondering how the malware was developed so quickly. And while the experts are scratching their heads about the attack du jour, the cyber criminals are already working on a new, even stealthier attack. What’s even more troubling, the criminals are getting increasingly ambitious, raising the stakes even higher. In the old days, they were satisfied stealing money from bank accounts, but now the ultimate goal is stealing data and proprietary corporate information. We’re not far from a world in which the criminals are trying to gain total control of industrial processes to cause destruction or possibly harm the health of the population.

Attacks on the rise
In early 2010, the networks of several Fortune 100 companies, including Google China, were hacked in what were later called the Aurora attacks. More than 30 large companies fell victim to the attack, even though they were running their networks with security and intrusion prevention software. This illustrates just how sophisticated the attack was.

Aurora was able to penetrate these networks through an unpatched security vulnerability in Internet Explorer (a so-called zero-day vulnerability) that – up until then – had not been discovered. Of course, by the time the malware was finally detected, the targeted corporate information was already stolen. At the time, security experts described Aurora as “the most sophisticated malware ever” – although it turned out to be more of an inconvenience than an attack with devastating consequences.

But it wasn’t long before Aurora was supplanted by Stuxnet in late 2010. The Stuxnet developers far exceeded Aurora in one key aspect. Unlike its predecessor, Stuxnet did not rely on a single zero-day vulnerability; it used no fewer than four. This malware wasn’t meant to attack many individual computers – it was meant for a networked group of them. To do this, however, the malware needed to make physical contact with the devices through USB sticks, scanners, or shared printers. Despite this limitation, Stuxnet succeeded in infecting dozens of industrial enterprises all over the world. There are indications the main target was nuclear reactors in Iran. Considering this, even though the malware was detected in the nick of time, its potential for destruction could have been devastating.

Protecting the process industry
Stuxnet shows just how plausible a threat scenario is – not just in Iran, where the patching policy might not be as strong as it should be – but also in North America and Europe. Even organizations that implement security measures are vulnerable to attacks. For instance, in the Dutch process industry, control systems are not attached to the corporate network, providing some protection against a large attack. Yet even though the process systems are on their own “island,” they do have infrastructural connections to “the mainland,” even if only through a handful of people who have access to both.

While this approach does create a buffer of sorts, it’s by no means fail-safe. In the United States, organizations tend to take a fully networked approach, making a trade-off between productivity and security. As for the threat of malware in process industries, unfortunately, organizations may have to make tough choices between amplifying security and maintaining optimal productivity.

To properly combat the threat of these attacks, the first step is to fully grasp the urgency of process control systems security. On an individual level, employees who are potential targets should be made aware and given safety training, whether they are involved in process control or not. The training could be as basic as reminding them to be extremely careful with clicking on links in emails and on social networking sites, or banning USB flash drives from the workplace. These measures can easily be enforced with policy-based software solutions.

However, to really tackle this problem, it will have to be addressed at an international level. The most practical approach would be for governments to come to an agreement, similar to the way they handled nuclear threats. They should commit to disassociating from developing or financing these attacks. In addition, governments need to commit to procedures to disable further participation while pledging to investigate and punish responsible parties. Going even further, corporations should band together and take a similar approach. For example, with Stuxnet, all corporations that had Siemens SCADA (Supervisory Control and Data Acquisition) systems installed could share information and protection barriers.

Besides political, police and judicial organizations, the entire international industrial sector should cooperate to minimize the risks of cyber attacks. Understandably, enterprises are not keen on openly admitting that their systems have been hacked. However, other organizations will benefit from the knowledge, so such disclosure should be encouraged. When information about a cyber attack is shared at an early stage, other companies can take measures against it. The industrial sector could also agree to fully cooperate in investigations of cyber attacks, even if this means that production has to suffer temporarily, or that certain corporate secrets need to be disclosed to the investigators. While the last condition seems like a bitter pill to swallow, the alternative is far worse.